[ https://issues.apache.org/jira/browse/GEODE-396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14961352#comment-14961352 ]

ASF subversion and git services commented on GEODE-396:
-------------------------------------------------------

Commit 03e593dee378aad86ac31b524dd30ccad8405bfb in incubator-geode's branch refs/heads/develop from [~dschneider]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-geode.git;h=03e593d ]

GEODE-396: Fix server to use server/gateway ssl config

The AcceptorImpl now keeps the non-default SocketCreator it makes
with the server/gateway ssl and uses it for all connections
from the client instead of the default cluster ssl config.

The extra logging done by the server that included the keystore
and truststore passwords (in clear text) has been removed.

Added unit test that reproduced this bug.


> One way SSL authentication between client and server fails
> ----------------------------------------------------------
>
>                 Key: GEODE-396
>                 URL: https://issues.apache.org/jira/browse/GEODE-396
>             Project: Geode
>          Issue Type: Bug
>          Components: core
>            Reporter: Darrel Schneider
>            Assignee: Darrel Schneider
>
> If the {{{server-ssl-require-authentication}}} property is configured like 
> below so that clients aren't required to be SSL-authenticated by the server:
> On client: {{{server-ssl-require-authentication=true}}}
> On server: {{{server-ssl-require-authentication=false}}}
> Then, this exception occurs on the server:
> {{{
> [severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor 0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating peer /192.168.2.12[63,528].
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>       at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
>       at com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
>       at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
>       at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
>       at java.lang.Thread.run(Thread.java:745)
> }}}
> This happens because the {{{AcceptorImpl accept}}} method uses the default 
> {{{SocketCreator}}}, not a {{{SocketCreator}}} configured with the 
> {{{server-ssl-*}}} properties. The default {{{SocketCreator}}} is configured 
> using the {{{cluster-ssl-*}}} properties not the {{{server-ssl-*}}} 
> properties.
> The attached test reproduces this issue, and the attached patch is a 
> potential fix for it.
> Also, if {{{server-ssl-enabled=true}}}, the {{{AcceptorImpl}}} constructor 
> logs the message below. It should not be doing this since the value of 
> javax.net.ssl properties can contain sensitive data.
> {{{
> [info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer with SSL config : Authentication Required true Ciphers any Protocols any Other Properties -- listing properties --
>   javax.net.ssl.keyStoreType=jks
>   javax.net.ssl.trustStorePassword=password
>   javax.net.ssl.keyStorePassword=password
>   javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
>   javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
> }}}
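The second problem in the issue, the keystore and truststore passwords being written to the log in clear text, is a general one: any code that dumps a properties map into a log message will leak whatever secrets that map holds. The example below is added here and is not Geode code; it shows the two defensive pieces a practitioner wants for this class of bug, a renderer that masks password-like property values before they are logged, and a scanner that flags `javax.net.ssl.*Password` values that did reach a log. The key names are the ones shown in the log excerpt above; the property values, file paths and the sample log text are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Property keys whose values must never appear in a log line. The regex is an
# assumption for this example; extend it to match your own naming conventions.
SENSITIVE_KEY_PATTERN = re.compile(r"(?i)(password|passphrase|secret)$")

# Constructed sample matching the property names in the issue; the paths and
# the literal value "password" are placeholders, not real configuration.
SAMPLE_SSL_PROPS: Dict[str, str] = {
    "javax.net.ssl.keyStoreType": "jks",
    "javax.net.ssl.trustStorePassword": "password",
    "javax.net.ssl.keyStorePassword": "password",
    "javax.net.ssl.keyStore": "/path/to/keystore.jks",
    "javax.net.ssl.trustStore": "/path/to/truststore.jks",
}


def redact_properties(props: Dict[str, str]) -> str:
    """Render a properties map in the '-- listing properties --' style used by
    the log message in the issue, but with sensitive values masked. The
    returned text is what a safe log call would emit."""
    lines = ["-- listing properties --"]
    for key in sorted(props):
        value = "****" if SENSITIVE_KEY_PATTERN.search(key) else props[key]
        lines.append(f"  {key}={value}")
    return "\n".join(lines)


# Matches a javax.net.ssl property whose name ends in Password, capturing the
# key and the value that follows the '='.
LEAK_PATTERN = re.compile(r"(javax\.net\.ssl\.\w*Password)=(\S+)")


def find_password_leaks(log_text: str) -> List[Tuple[int, str]]:
    """Scan log text for javax.net.ssl.*Password values written in clear text.
    Returns (line_number, key) pairs; already-masked values are not reported."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in LEAK_PATTERN.finditer(line):
            if match.group(2) != "****":
                hits.append((lineno, match.group(1)))
    return hits


# Constructed log excerpt modelled on the unsafe message quoted in the issue.
UNSAFE_LOG = """[info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer with SSL config : Authentication Required true Ciphers any Protocols any Other Properties -- listing properties --
  javax.net.ssl.keyStoreType=jks
  javax.net.ssl.trustStorePassword=password
  javax.net.ssl.keyStorePassword=password
"""


if __name__ == "__main__":
    print("Leaks in the unsafe log:", find_password_leaks(UNSAFE_LOG))
    safe_text = redact_properties(SAMPLE_SSL_PROPS)
    print(safe_text)
    print("Leaks after redaction:", find_password_leaks(safe_text))
```

The masking is keyed on the property name rather than the value, so it works before the value is ever formatted; the scanner is the complementary check to run over existing logs (or in a log pipeline test) to confirm that a fix like the one committed here actually removed the clear-text secrets.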



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)